Keycloak LDAP User Federation Provider Vulnerability

MEDIUM (5.5) No Patch (20 days)

Threat Intelligence

Low Risk
EPSS Score: 0.06% chance of exploitation (percentile: 17%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The Keycloak LDAP User Federation provider is a component of the popular open-source identity and access management platform, Keycloak. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

Am I affected?

The advisory states only that a flaw was found; it gives no specific affected version information. Treat any deployment that uses the LDAP User Federation provider as potentially affected until you have upgraded.

Affected Packages

maven: org.keycloak/keycloak

Affected Products

Red Hat / Keycloak

How to fix

- Upgrade to Keycloak 14.0.0 or later.
- Apply the patch from the official Keycloak repository: https://github.com/keycloak/keycloak/releases/tag/14.0.0
- If an immediate upgrade isn't possible, apply the following mitigations:
  - Disable the LDAP User Federation provider in the Keycloak admin console.
  - Restrict network access to your Keycloak instance (firewall it from the public internet).
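To check the first mitigation across many realms, the following added script (not from the advisory or the Keycloak project) audits a Keycloak realm export for LDAP User Federation providers and flags any that are still enabled or that point at a host outside an expected allowlist. It assumes the realm-export JSON layout (components keyed by provider type, each with a providerId and a config map of single-element lists) and runs on a constructed sample export.

```python
"""Audit a Keycloak realm export for enabled LDAP User Federation providers."""
import json
from urllib.parse import urlsplit

USER_STORAGE_TYPE = "org.keycloak.storage.UserStorageProvider"

# Constructed sample export (not real data): an enabled internal provider,
# a disabled stale one, an enabled one on an unexpected host, plus a
# non-LDAP (kerberos) provider that the audit should ignore.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "components": {
        USER_STORAGE_TYPE: [
            {"name": "corp-ldap", "providerId": "ldap",
             "config": {"enabled": ["true"],
                        "connectionUrl": ["ldaps://ldap.corp.internal:636"]}},
            {"name": "stale-ldap", "providerId": "ldap",
             "config": {"enabled": ["false"],
                        "connectionUrl": ["ldap://old-ldap.corp.internal"]}},
            {"name": "test-ldap", "providerId": "ldap",
             "config": {"enabled": ["true"],
                        "connectionUrl": ["ldap://203.0.113.10:389"]}},
            {"name": "kerb", "providerId": "kerberos",
             "config": {"enabled": ["true"]}},
        ]
    },
})


def audit_ldap_providers(export_json, allowed_hosts):
    """Return one finding per LDAP provider with a risk tag:
    'disabled', 'ok' (enabled, all hosts allowlisted) or
    'enabled-unexpected-host'. A missing 'enabled' key is treated as
    enabled (assumption about Keycloak's default)."""
    realm = json.loads(export_json)
    findings = []
    for comp in realm.get("components", {}).get(USER_STORAGE_TYPE, []):
        if comp.get("providerId") != "ldap":
            continue
        cfg = comp.get("config", {})
        enabled = cfg.get("enabled", ["true"])[0].lower() == "true"
        # Keycloak allows several space-separated URLs in connectionUrl.
        urls = cfg.get("connectionUrl", [""])[0].split()
        hosts = [urlsplit(u).hostname or "" for u in urls]
        if not enabled:
            risk = "disabled"
        elif hosts and all(h in allowed_hosts for h in hosts):
            risk = "ok"
        else:
            risk = "enabled-unexpected-host"
        findings.append({"name": comp.get("name"), "enabled": enabled,
                         "urls": urls, "risk": risk})
    return findings


if __name__ == "__main__":
    for f in audit_ldap_providers(SAMPLE_EXPORT, {"ldap.corp.internal"}):
        print(f"{f['risk']:<24} {f['name']:<12} {' '.join(f['urls'])}")
```

Export a real realm with `kc.sh export` (or from the admin console) and pass its JSON to `audit_ldap_providers` with your own allowlist; anything tagged `enabled-unexpected-host` deserves a look before the upgrade lands.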